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We  show  the  use  of  a  reconhgurable  computer  in  computing  the  correlation  immunity  of 
Boolean  functions  of  up  to  6  variables.  Boolean  functions  with  high  correlation  immunity 
are  desired  in  cryptographic  systems  because  they  are  immune  to  correlation  attacks.  The 
SRC-6  reconhgurable  computer  was  programmed  in  Verilog  to  compute  the  correlation 
immunity  of  functions.  This  computation  is  performed  at  a  rate  that  is  190  times  faster 
than  a  conventional  computer. 

Our  analysis  of  the  correlation  immunity  is  across  all  n-variable  Boolean  functions, 
for  2  <  n  <  6,  thus  obtaining,  for  the  first  time,  a  complete  distribution  of  such  func¬ 
tions.  We  also  compare  correlation  immunity  with  two  other  cryptographic  properties, 
nonlinearity  and  degree. 
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1.  Introduction 

The  correlation  immunity  of  a  Boolean  function  measures  the  extent  the  variable 
values  can  be  guessed  given  the  function  value.  When  Boolean  functions  are  used 
in  encryption,  functions  with  high  correlation  immunity  (along  with  other  crypto¬ 
graphic  properties)  are  preferred,  since  they  are  less  susceptible  to  an  attack  than 
functions  with  low  correlation  immunity.  Interest  in  this  topic  developed  because 
Siegenthaler  [28]  in  1984  showed  how  an  attack  can  be  effectively  applied  to  encryp¬ 
tion  systems  using  functions  with  low  correlation  immunity. 

Correlation  immune  (Cl)  functions  are  also  used  in  machine  learning  (see  [1,  22]): 
a  “greedy”  method  to  obtain  a  decision  tree  representation  of  a  Boolean  function 
given  just  a  set  of  input-output  pairs  proceeds  by  choosing  (recursively)  a  node 
of  the  tree  to  maximize  a  cost  indicator  (information  gain).  However,  if  the  func¬ 
tion  happens  to  have  non-zero  correlation  immunity,  this  cost  function  is  zero  and 
thus  not  useful;  i.e. ,  a  decision  tree  representation  cannot  be  obtained  in  the  case 
of  a  function  that  has  non-zero  correlation  immunity.  Since  most  n-variable  func¬ 
tions  have  zero  correlation  immunity  for  n  >  2,  the  greedy  method  works  for  most 
functions. 

We  show  that  a  reconhgurable  computer  is  effective  in  enumerating  Boolean 
functions  according  to  their  correlation  immunity.  Especially,  we  can  compare 
Boolean  functions  with  respect  to  various  cryptographic  properties,  including  non¬ 
linearity  and  degree  due  to  prior  use  of  a  reconhgurable  computer  in  computing 
these  cryptographic  properties  [27].  Since  Rotlraus’  original  paper  on  bent  func¬ 
tions  in  1976  [23],  there  has  been  much  work  on  the  cryptographic  properties  of 
Boolean  functions  [11].  Such  properties  include  strict  avalanche  criterion  [14,30], 
propagation  criteria  [20],  and  algebraic  immunity  [9, 10].  We  have  previously  shown 
a  60,000 x  speed-up  in  using  a  reconhgurable  computer  to  compute  bent  functions 

[27]. 

2.  Some  definitions 

In  this  paper,  we  use  the  Landau  symbol  O  with  its  usual  meaning.  Specifically, 
/  =  O(g)  means  \f(x)\  <  c\g(x)\  holds  with  some  constant  c,  for  x  sufficiently  large. 
Also,  we  write  /  ~  g  if  Hindoo  =  1. 

Let  F2  be  the  prime  field  of  characteristic  2.  For  any  positive  integer  n,  the  set 
[n]  :=  {l,...,n}.  Let  =  {x  =  (x\,..,,xn)  :  Xi  G  F2,  for  allz  G  [n]}  be  the 
vector  space  of  dimension  n  over  F2.  Any  function  from  FJ  to  F2  is  said  to  be  a 
Boolean  function  on  n  variables,  whose  set  is  denoted  by  *Bn.  Addition  over  F2  and 
Fj  are  both  denoted  by  ©,  whereas  addition  over  integers  is  denoted  by  +.  For  any 
x  G  F2 ,  the  weight  of  x  is  wt(x)  =  ^"=1  x% •  The  algebraic  normal  form  (ANF)  of 
a  Boolean  function  /  G  is 

/ ( X\ ,■■■■,  Xn)  =  •  •  •  Xnn  , 

a=(ai  ,...,an)£lF2 
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where  /ia  G  F£,  for  all  a  G  F£,  and  where  a;®4  =  1  if  a*  =  0  and  x “4  =  Xi  if  a*  =  1. 
The  algebraic  degree  of  /  is  deg(/)  =  max{wt(a)  :  pa  7^  0}.  The  Fourier  transform 

a£F£ 

or  the  Fourier  coefficient  of  /  E  23 n  at  u  G  is 

/(u)=2-n  ^  (_i)/(x)(_i)ux, 

xeFj 

where  u  •  x  =  ©”=1  uixi  is  the  inner  product  of  u  =  (ui, . . .  ,un)  and  x  = 
(xi, . . . ,  xn).  The  Walsh-Hadamard  transform  of  /  G  at  u  G  F£  is  W/(u)  = 
2”/(u). 

The  set  of  Fourier  coefficients  {/(u)  :  u  G  F£  }  is  said  to  be  the  Fourier  spectrum 
of  /.  The  set  of  Walsh-Hadamard  coefficients  {W/(u)  :  u  G  F^}  is  said  to  be 
the  Walsh-Hadamard  spectrum  of  /.  These  transforms  are  invertible,  since,  for  all 
xGF" 

(_1}/(x)=2-n  £  W)(u)(-ir*  =  £  /(u)(-dux- 


u£F£ 


u£F£ 


The  Walsh-Hadamard  spectrum  of  any  Boolean  function  /  G  is  constrained  by 
Parseval’s  identity 


E  Wf(u)2  =  22n. 


(1) 


u£F£ 


'  0<i,j<2 

vector  with  n  components),  or  inductively,  Hi  =  (1),  H2  = 


Hn  =  Hi  (8»  Hn_i  = 


and,  in  general, 
(’(8>’  is  the  Kronecker  product).  It  is  known 


Since,  it  will  be  used  later,  we  introduce  below  the  2"  x  2"  Walsh-Hadamard 
matrix  Hn  =  ((-ijW-W)  ^  (6(i)  is  the  binary  expansion  of  i  written  as  a 

'1  1 
.1  -1, 

' Hn- r  Hn—i 
\Un—i  Hn—i  y 

that  W/  =  U„(-l)/. 

The  weight  of  a  Boolean  function  is  the  weight  of  its  truth  (output)  table.  An 
n-variable  function  /  is  balanced  if  its  truth  table  has  as  many  0’s  as  l’s;  that  is,  its 
weight  is  exactly  2n~1. 

Example  1.  The  weight  of  the  AND  function  /(x)  =  X1X2  ■  ■  ■  xn  is  1.  The  weight 
of  the  exclusive  OR  function  /(x)  =  Xi  ©  X2  ©  •  •  •  ©  xn  is  2n~1 .  The  exclusive  OR 
function  is  balanced. 

An  ?i-variable  function  /  has  correlation  immunity  of  order  0  <  k  <  n  if  and 
only  if,  for  every  fixed  set  S  of  k  variables,  and  for  every  assignment  of  values  to  the 
variables  in  S,  the  weights  of  all  subfunctions  are  the  same.  An  ?r-variable  function 
/  is  resilient  of  order  k  if  it  is  balanced  and  has  correlation  immunity  of  order  k. 

An  n-variable  function  /  is  correlation  immune  if  and  only  if  its  correlation 
immunity  k  is  1  or  more.  An  n-variable  function  /  is  resilient  if  and  only  if  it 
is  balanced  and  correlation  immune.  When  a  function  has  correlation  immunity 
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(resiliency)  k  but  not  k  +  1,  we  will  describe  such  a  function  as  exact  correlation 
immune  (resilient)  of  order  k. 

The  following  result  characterizes  correlation  immunity  (resiliency)  (see  [11]). 
Theorem  1.  The  following  are  true. 

( i )  An  n-variable  function  f  has  correlation  immunity  (respectively,  resiliency) 
of  at  least  order  k  if  and  only  ifWf(a)  =  0,  for  all  a  £  with  1  <  wt(a)  < 
k  (respectively,  0  <  wt(a)  <  k). 

(it)  An  n-variable  function  f  has  correlation  immunity  of  at  least  order  k  if  and 
only  if  f  ®  Xj,  ©  Xi2  ®  •  •  •  ©  Xik  is  balanced  for  all  1  <  i\  <  . . .  <  ik  <  n. 

Correlation  immunity  describes  the  extent  to  which  the  variable  values  can  be 
guessed,  given  the  function  value.  A  function  that  has  low  correlation  immunity  is 
the  AND  function  on  n  >  1  variables.  For  example,  if  this  function’s  output  value  is 
1,  then  the  input  variable  values  are  (x±,X2,  •  •  • ,  xn)  =  (1, 1, . . . ,  1)  with  probability 
100%.  On  the  other  hand,  when  this  function’s  output  value  is  0,  there  is  a  large 
uncertainty  as  to  which  variable  values  caused  this  (from  among  2”  —  1  values).  In 
a  function  with  high  correlation  immunity,  knowing  the  function’s  value  yields  an 
equal  uncertainty  as  to  the  variables’  values  that  produced  that  function’s  value. 
For  example,  in  the  exclusive  OR  function  /  =  X\  ©  X2  ©  •  •  •  ©  xn,  half  of  the 
assignments  of  values  to  the  variables  yield  /  =  0  and  half  yield  /  =  1.  Therefore, 
knowing  that  /  =  0  or  /  =  1  yields  the  same  uncertainty  regarding  the  assignment 
of  values  to  the  variables.  If  we  choose  any  pair  of  variables  and  any  of  the  four 
assignments  of  values  to  the  pair  (00,01,10,11),  we  also  have  an  equal  uncertainty 
as  to  which  of  the  remaining  assignments  yield  /  =  0  and  /  =  1. 

Consider  the  exclusive  OR  function  /  =  X\  ®X2  ©  •  •  •  ®xn,  and  consider  a  subset 

5  of  1  <  k  <  n  variables.  By  symmetry,  these  might  as  well  be  the  last  k.  When 
they  are  fixed,  the  resulting  subfunction  is  either  x\  ©•  •  -®xn-k,  or  its  complement. 
Either  choice  has  weight  2"_fc_1.  Therefore,  /  has  correlation  immunity  of  order 
k.  Note,  however  that  it  does  not  have  order  n  correlation  immunity,  because,  by 
fixing  the  (unique)  set  of  variables  of  cardinality  n,  the  function  becomes  constant 
(either  0,1),  which  are  evidently,  not  balanced.  It  follows  that  this  function  has 
exact  correlation  immunity  of  n  —  1.  We  shall  see  later  that  the  algebraic  degree 
and  immunity  are  constrained. 

We  recall  here  that  a  barbell  function  is  the  function  X\X2  •  ■  ■  xn  ©  X1X2  •  •  ■  xn 
or  its  complement.  A  threshold  function  is  a  function  /w,t  such  that  /w,t(x)  is 
1  if  the  weighted  sum  fZi-i  WiXi  >  T,  where  Xi  is  viewed  as  an  integer  equal 
to  its  logic  value  and  Wi  and  T  are  real  numbers.  The  Achilles  heel  function,  /  = 
X\X2®x^x^®-  •  ■®xn/2-\Xn/2,  for  n  even,  is  known  to  have  a  binary  decision  diagram 
whose  number  of  nodes  is  especially  sensitive  to  the  ordering  of  its  variables  [3] . 

Table  1  shows  the  correlation  immunity  of  several  example  functions,  including 
the  barbell,  threshold,  and  Achilles  heel  functions.  Since  functions  with  odd  l’s 
all  have  correlation  immunity  0,  more  than  one-half  of  the  Boolean  functions  have 
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Table  1.  Correlation  immunity  of  some  example  n- variable  Boolean  functions. 


Function 

Description 

Expression 

Correlation 

Immunity 

Constant 

/  =  o,  /  =  1 

n 

Parity 

/  =  .r,  0  x2  Q  ©  .r„,  /  O  1 

n  —  1 

Barbell 

/  =  x3x2  ■■■xn®  xix2  ■■■xn,  f  ©  1 

1 

Odd  Weight 

e-g-,  /  =  X\X2  ■  ■  ■  xn,  f  =  xx  V  x2  V  •  •  •  V  xn 

0 

Threshold 

e.g.,  /  =  XiX2  V  xxx3  V  x2x3 

0 

Achilles  Heel 

f  =  x3x2  ®  x3x4  ©  •  •  •  ®  xn/2_iXn/2,  n  even,  /  ©  1 

0 

In  applying  the  definition  of  the  correlation  immunity  to  determine  the  correla¬ 
tion  immunity  of  a  given  function,  it  was  convenient  to  specify  a  two-step  process. 
In  the  first  step,  we  specify  that  a  condition  hold  for  all  fc'-subsets  of  variables.  In 
the  second  step,  we  specify  that  a  condition  hold  across  all  assignments  of  values  to 
the  variables  chosen  in  the  first  step.  For  pedagogical  reasons,  we  could  view  this  as 
a  one-step  process.  That  is,  we  could  think  of  simultaneously  choosing  a  fc'-subset 
and  some  assignment  of  values  to  the  variables.  In  this  way,  we  produce  one  of  the 
(Z)2k  subfunctions  of  /.  The  definition  of  correlation  immunity  then  requires  that 
all  of  these  (Z)2k  subfunctions  have  the  same  weight.  The  maximum  k!  for  which 
this  is  true  is  the  exact  correlation  immunity  of  the  function.  This  viewpoint  will  be 
useful  in  the  description  of  the  circuit  to  compute  correlation  immunity  in  Section 
4. 

3.  Some  results  on  the  number  of  correlation  immune  and  resilient 

functions 

Various  results  are  known  about  the  tradeoff  among  cryptographic  properties  in¬ 
volving  correlation  immunity.  For  example,  if  /  is  a  Boolean  function  in  n  variables 
that  has  correlation  immunity  of  order  k,  then  2k  divides  the  Hamming  weight  of 
/.  Also,  if  /  is  a  Boolean  function  in  n  variables,  that  has  correlation  immunity 
of  order  k,  then  the  degree  d  of  /  is  at  most  n  —  k.  If  further,  /  is  balanced  and 
correlation  immune  of  order  1  or  more  (hence,  resilient)  and  k  <  n  —  1,  then  the 
degree  of  /  is  at  most  n—k—1.  Other  more  esoteric  results  exist,  like  the  fact  that 
if  /  has  correlation  immunity  k,  then  the  algebraic  normal  form  (positive  polarity 
Reed-Muller  form)  of  /  either  has  no  terms  of  degree  n  —  k  or  has  all  possible  terms 
of  degree  n  —  k. 

Camion  et  al.  [4]  attempted  a  nice  recursive  approach  for  the  construction  of  a 
resilient  function  /  on  n  +  1  variables.  It  is  based  on  the  Shannon  decomposition  of  a 
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Boolean  function  /,  where  /  =  xnf0\/xnfi,  such  that  f0  =  f\o->xn  and  fi  =  /|i_>.Xn. 
A  Boolean  function  is  ( k  +  l)-resilient  if  and  only  if  the  following  two  conditions 
hold: 


( i )  fo  and  /i  are  resilient  functions  of  order  fc; 

( ii )  for  all  n  component  vectors  v  of  weight  k  +  1,  the  Walsh-Hadamard  trans¬ 
form  equation  W/0(v)  +  IF/^v)  =  0  holds. 

Also,  if  the  degrees  of  /,  /o  and  /i  are  equal  (so,  deg(/o  ®  /i)  <  deg(/),  because 
otherwise,  we  would  have  deg(/o  ©  /i)  =  deg (/),  but  that  is  impossible  since  /  = 
foS)xn(fo®  fi)  and  so,  /  would  increase  its  degree),  then  /  has  its  maximum  degree 
n  +  1  —  (k  +  2)  if  and  only  if  /o  and  / 1  have  their  maximum  degree  n  —  (k  +  1). 

Improving  upon  an  interesting  result  obtained  by  Sarkar  and  Maitra  [24],  Car- 
let  [6]  showed  the  following  theorem. 

Theorem  2  ([6,  24])  If  a  degree  d  >  1,  n-variable  function  f  has  correlation  im¬ 
munity,  respectively,  resiliency  of  order  k,  then  its  Walsh-Hadamard  coefficients 
are  divisible  by  2fc+1+L  a  \t  respectively,  2fc+2+L  a  J.  Moreover,  the  nonlinear¬ 
ity  Nf  of  an  order  k  correlation  immune,  respectively,  resilient  function  f  satisfies 

2fe+(!^T  J  |  TVj  <  2n~1  —  2k,  respectively, 

2k+i+[^=^\  |  Nf  <  2n_1  -  2k+1. 

This  easily  implies  that  functions  whose  correlation  immunity  is  at  least  1  have  even 
nonlinearity,  and  if,  in  addition,  they  are  balanced,  their  nonlinearity  is  divisible 
by  4. 

Let  CI(n,k)  (respectively,  BCI{n,k ))  be  the  number  of  exact  order  k  corre¬ 
lation  immune,  (respectively,  further  balanced)  n-variable  Boolean  functions.  The 
notations  C/(n,  k,  d),  BCI{n ,  k,  d)  restricts  the  previous  count  to  degree  d  Boolean 
functions. 

Theorem  3.  The  following  are  true: 

(i)  BCI(n,  n,  0)  =  0,C7(n,n,0)  =  2,  CI(n,k,l)  =  BCI(n,k,  1)  =  2^), 
0  <  k  <  n  —  1. 

(ii)  BCI(n,  n  —  2)  =  2(n"1)  =  2n. 

(in)  BCI(n,  n  -  3)  =  "(»-i)C3»-2)(»+i)  +  2(^2) . 

(iv)  BCI(n,k,d)  =  0,  if  n  >  (n  —  k  —  l)2d_1;  in  particular,  BCI(n,k,2)  =  0, 
for  all  k  >  f. 

(v)  CI(n,n  —  I,  2)  =0,  if  n  >  4k  —  5;  in  particular,  CI(n,n  —  2,2)  =  0,  if 
n  >  3. 

Proof.  We  first  show  (i).  Let  /  be  an  affine  function,  /(x)  =  0”=1  CiXi  ©  c,  Cj,  c  € 
F2.  Certainly,  correlation  immunity  is  preserved  by  complementation.  So,  from  here 
on,  we  always  assume  that  the  constant  c  =  0.  We  next  take  K  to  be  the  exact 
number  of  nonzero  coefficients,  say  cij  =  !,!<_)<  K.  If  K  =  0,  then  /  is  constant 
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(hence,  non-balanced)  and  we  see  that  the  constant  functions  1,0  are  correlation 
immune  of  order  n. 

If  K  >  0,  then  /  is  balanced.  So,  the  number  of  correlation  immune  functions 
of  whatever  order  will  match  the  number  of  resilient  functions  of  the  same  order. 
Using  Theorem  1,  we  see  that  /  is  not  correlation  immune  (resilient)  of  order  K, 
since  /  ®  ®  •  •  •  ©  XiK  =  0.  Hence,  /  is  not  balanced.  However,  /  is  correlation 

immune  (resilient)  of  order  k  :=  K  —  1,  since  then  /  ®  ©  ■  ■  •  ®  Xi-  =  0,  j  <  K  —  1 

will  be  nonzero  and  linear,  hence  balanced.  There  are  ways  of  choosing  the 

nonzero  coefficients,  and  (?)  follows.  Certainly,  ( ii )  follows  by  the  same  argument, 
since  we  know  that  a  function  that  is  resilient  of  order  n  —  2  must  have  degree  <  1. 

Next,  the  first  term  from  claim  {Hi)  was  found  in  [4]  and  counts  the  number  of 
resilient  of  order  n  —  3  quadratic  Boolean  functions.  The  second  term  corresponds 
to  affine  resilient  functions  of  order  n  —  3,  and  follows  from  (i). 

Item  (iv)  is  from  Tarannikov  et  al  [29]  .  Next,  we  show  ( v ).  We  recall  the 
interesting  upper  bound  of  [29]  for  the  correlation  immunity  order  k  of  an  unbalanced 
Boolean  function  in  n  variables,  namely 


k  < 


3n  —  5 


(2) 


For  k  :=  n  —  2,  n  >  4,  this  would  imply  n  —  2  < 


3n— 5 


,  which  contradicts  n  >  4, 


and  this  shows  that  there  are  no  unbalanced  quadratic  Boolean  functions  that  are 
correlation  immune  of  order  k.  If  /  is  balanced  and  correlation  immune  of  order 
n  —  2,  then  we  can  apply  ( iv ),  or  observe  that  the  degree  of  /  cannot  exceed  1  and 
so,  /  cannot  be  quadratic.  n 


Remark  4.  Bierbrauer  and  Friedman  [2, 15]  found  the  following  bound  on  the 
Hamming  weight  of  a  function  f  that  is  correlation  immune  of  order  k 


wt{f)  >  2n 


2  {k  +  1)  —  n 
2  {k  + 1) 


which  gives  further  constraints  on  the  parameters  of  a  correlation  immune  Boolean 
function. 


Denisov  [12]  found  that  the  number  of  n-variable  correlation  immune  functions 
of  order  k,  say  CI(n,k),  is  asymptotically 

CI{n,  k)  ~  22"+‘2-fc(2”-17r)-(M-1)/2, 

where  M  =  Y^lj=o  ( j)  and  Q  ~  ]Cj=ij(j)-  Denisov  published  a  “correction”  in 
2000  (see  [13]),  but  it  turns  out  that  his  original  result  was  correct  and  the  latter 
paper  is  incorrect,  as  was  shown  by  Canfield  et  al.  [5].  For  k  =  1,  one  can  get  a 
simpler  estimate 

1  /  8  \ 

CI(n,  1)  ~  Dn  =  -  (  —  J  22  ~n  /2,  as  n  — >  oo. 
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A  more  refined  version  of  the  approximation  for  C/(n,  1)  was  computed  by  Bach  [1] 

C/(M)  =  C„(  l-^  +  o(^)). 

Denisov  [12]  also  showed  that  the  number  BCI(n,k)  of  balanced  and  correlation 
immune  (resilient)  functions,  satisfies  the  asymptotic  formula 

BCI{n,k )  ~  22"-(£)(”-fc)/2(2/7r)M/2,  as  n  ->  oo, 

where  M  =  X)*=0  (") . 

There  are  various  results  concerning  bounds  on  the  number  of  correlation  im¬ 
mune  and/or  resilient  functions  and  the  interested  reader  can  find  some  in  the  listed 
references  (or  elsewhere).  Also,  Yang  and  Guo  [31]  found  in  1995  that  the  number 
of  correlation  immune  functions  of  order  1  is  upper  bounded  by 


ci(n,  i)  < 


k— 0  r=0 


2"-2\2/2r!-2x  2 
k  —  r 


Le  Bars  and  Viola  [16]  found  a  lower  bound  for  the  number  of  resilient  Boolean 
functions  of  order  1,  namely 

BCI(n,  1)  >  22r,-n2+^n+1e^-n(mr)n/2. 


A  quick  analysis  of  this  lower  bound  gives  us  a  ‘glimpse’  at  the  complexity  of 
completely  enumerating  all  resilient  functions  for  n  =  6,  7:  if  n  =  6  there  are  more 
than  242  7' ,  and  for  n  =  7,  there  are  more  than  296  '2  resilient  Boolean  functions.  By 
using  a  construction  of  a  resilient  of  order  k  function  in  n  variables  from  a  resilient 
of  order  1  in  n  —  k  +  1  variables,  Le  Bars  and  Viola  found  (for  free)  the  following 
lower  bound  for  the  number  of  resilient  of  order  k  functions 

BCI{n,  k)  >  22"-fc+1— (n— fc+ip+Kn— fc+L+igfc— i  ((n  —  k  l)7r)(ra_fc+1l/2, 


which  can  be  combined  with  Schneider’s  bound  [25,  26]  for  0  <  k  <  n, 


n—k 

BCI(n,  k )  <  [j 
i= i 


The  previous  bound  is  rather  weak  for  high  order  of  resiliency,  and  it  was  slightly 
improved  by  Carlet  and  Klapper  [8],  who  showed  that  BCI(n ,  k )  is  upper  bounded 

by 


2^? 


(?)  -  2^" 


(?) 


222fc+1  — 1 

2i+£"=-ofc-1  (?)-££ 


+  2i:r=ofe-2(?) 


-k-l  (k- 1 


(V)(l  +  e)  +  2^--2(?), 


for  2  <  k  <  n/2 


2-n((2'*/n)1/2);  for  n/2  <  k  <  n 


and  Carlet  and  Gouget  [7],  who  showed  that  BCI(n,k)  is  upper  bounded  by 


2^? 


’(?) 


2-(n?tii)-l 


n 

n  —  k  —  1 


n—k 


n 
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puting  correlation  immunity.  _•  ~  r-,  i  i  .  . 

Fig.  2.  Breakdown  or  correlation  immu¬ 
nity  computation  circuit. 


We  further  point  to  [18]  for  an  alternative  representation  of  resilient  functions. 

Unfortunately,  all  of  these  bounds,  and  asymptotics  for  n  — >  oo,  simply  estimate 
counts  of  the  correlation  immune  and  resilient  functions.  They  say  nothing  about  the 
size  of  the  aforementioned  sets  for  a  small  number  of  variables  n.  Indeed,  there  are 
no  known  expressions  for  the  exact  counts  CI(n,  k)  and/or  BCI(n ,  k )  for  n  >  6  (and 
all  k  >  1).  We  show  that  a  reconfigurable  computer,  combined  with  the  theoretical 
results  can  tractably  compute  the  correlation  immunity  of  functions  exhaustively 
along  with  other  cryptographic  properties.  Thus,  we  can  compare  their  correlation 
immune/resilient  properties,  and  compare  against  other  cryptographic  properties, 
such  as  nonlinearity  and  degree. 


4.  Computation  of  correlation  immunity 

A  Verilog  program  was  written  to  compute  the  correlation  immunity  of  Boolean 
functions  on  the  SRC-6  reconfigurable  computer.  Because  of  the  large  logic  resources 
available,  it  was  possible  to  implement  the  correlation  immunity  computation  for 
one  function  per  clock  period.  With  a  clock  frequency  of  100  MHz,  we  can  compute 
a  function’s  correlation  immunity  at  a  rate  of  100,000,000  functions  per  second. 
Later,  we  compare  this  to  a  conventional  processor. 

Fig.  1  shows  a  block  diagram  of  correlation  immunity  computation  circuit.  The 
block  on  the  left  labeled  “Function  Generator”  generates  the  truth  table  of  the 
function  whose  correlation  immunity  is  currently  being  computed.  When  this  circuit 
is  used  in  exhaustive  enumeration,  the  Function  Generator  is  an  up  counter.  The 
block  labeled  “Correlation  Immunity”  is  a  combinatorial  logic  circuit  whose  input 
is  the  truth  table  of  a  function  and  whose  output  is  the  value  of  its  exact  correlation 
immunity.  The  oval  labeled  “Update  Cl  Counter”  represents  that  part  of  the  system 
that  records  the  correlation  immunity.  It  records  each  contribution  to  the  histogram 
of  the  number  of  functions  with  various  values  of  correlation  immunity. 

Fig.  2  shows  a  block  diagram  of  the  combinatorial  logic  block  in  Fig.  1  labeled 
“Correlation  Immunity” .  The  truth  table  of  the  function  under  test  is  applied  on  the 
left  to  n  blocks  labeled  “k  =  a?”,  where  1  <  a  <  n.  Each  block  tests  whether  the 
function  has  correlation  immunity  a  and  produces  a  1  if  and  only  if  the  function  has 
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correlation  immunity  a.  This  output  is  applied  to  a  priority  encoder  that  produces 
at  its  output  a  value  that  is  the  largest  a  such  that  the  block  labeled  “k  =  a?” 
produces  a  1.  m,  the  number  of  lines  in  the  output  bus  labeled  “fc”  is  [~log2  n\  and 
represents  the  number  of  bits  needed  to  represent  a  number  between  0  and  n. 

Fig.  3  shows  the  circuit  that  realizes  the  “fc  =  a?”  circuit  in  Fig.  2.  The  line 
of  blocks  on  the  left  are  circuits  that  separate  out  the  fc'-subsets  of  variables.  The 
blocks  near  the  center  extract  the  truth  table  of  the  subfunctions  associated  with 
assigning  all  combinations  of  values  to  the  variables  in  each  subset.  Then,  the  blocks 
labeled  “Ones  Count”  to  the  right  compute  the  weight  of  each  subfunction.  Then, 
the  single  block  on  the  right  produces  at  is  output  a  1  if  and  only  if  all  weights  are 
the  same.  This  drives  the  “k  =  a?”  output. 


Fig.  3.  Correlation  immunity  circuit. 


5.  Meet  in  the  middle  algorithm 

In  this  section,  we  describe  an  algorithm  that  can  count  the  ?r-variable  fc-correlation 
immune  functions,  using  22"  +°(n)  time  and  space.  Effectively,  n  is  reduced  by  1 
but  a  high  price  is  paid  in  memory.  This  makes  it  unsuitable  for  a  reconfigurable 
computer,  such  as  the  SRC-6.  It  did  serve,  however,  for  completing  the  analysis  for 
n  =  6.  This  algorithm  is  described  in  [17],  but  only  briefly,  so  we  elaborate  here. 

Recall  that  the  conditions  for  fc-immunity  ((i)  of  Theorem  1)  are  linear.  There¬ 
fore,  we  can  split  our  truth  tables  in  two,  and  attempt  to  find  matching  left  and 
right  halves. 

Let  m  =  n  +  Q)  +•••  +  (£)  •  From  the  Walsh-Hadamard  matrix,  extract  the 
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rows  indexed  by  u  with  1  <  wt(u)  <  k,  to  form  .  If  we  write  W =  (A  B), 
the  Walsh-Hadamard  condition  for  fc- immunity  becomes  ( A  B)(x  y)T  =  0,  where 
A,  B  are  m  x  2"_1  matrices  with  ±1  entries,  and  the  column  vector  (x  y)T  is  the 
truth  table  of  f  (in  ±1  form).  Equivalently,  the  two  “signatures”  Ax  and  —  By  must 
match. 

Make  a  list  of  the  2n~1  pairs  ( Ax ,  0)  and  another  list  of  the  2n~1  pairs  (-B y,  1). 
(The  “tag”  (0  or  1)  indicates  which  matrix  the  pair  came  from.)  Sort  the  combined 
lists  lexicographically.  A  first  component  z  that  occurs  r  times  with  a  0  and  s 
times  with  a  1  contributes  rs  to  the  count  of  fc-correlation  immune  functions.  (If 
we  append  x  and  y  to  the  pairs,  the  actual  functions  could  be  produced  as  well.) 

Here  is  an  example.  Take  n  =  2  and  k  =  1.  Then,  A  =  ( [  )  and  —  B  =  ( y1  ] ) . 

Applying  these  two  matrices  to  the  four  vectors  (±1,±1)T,  we  get  two  lists,  each 
with  the  four  vectors  (0,  ±2),  (±2,0).  Thus,  there  are  four  correlation  immune 
functions  of  two  variables. 

To  get  fast  code,  we  can  use  the  following  idea.  If  a,  b  are  ±1  vectors  of  length 
2"_1,  and  u,  v  their  0/1  images  (under  the  map  that  sends  ±1  to  0  and  —1  to  1), 
we  have 

271- 1 

^  aibi  =  2n~1  -  2  wt(u  ©  v). 

i= 1 

For  the  last  term,  bitwise  XOR  can  be  used,  followed  by  a  “l’s  count”  operation. 
Since  our  goal  is  only  to  find  matches,  the  rest  of  the  operations  can  be  skipped. 

Since  0  <  wt(u©  v)  <  2n~1 ,  the  information  payload  in  each  pair  (Ax,  0)  and 
(—By,  1)  can  be  stored  in  a  bit  string  of  length  mn  +  1,  if  encoded  in  a  straightfor¬ 
ward  way. 

We  now  justify  the  time  and  space  claims  made  above.  For  the  Ax’s,  we  need 
m22  bitwise  XOR’s,  and  m22  l’s  counts.  The  same  number  is  needed  for 
the  —By's.  If  we  assume  that  there  are  instructions  for  XOR  and  l’s  count,  the 
complexity  for  this  phase  of  the  algorithm  is  0(m22  ).  Then,  we  sort  the  combined 

table  and  make  a  final  pass  to  count  the  matches.  With  standard  in-place  sorting 
algorithms,  this  costs  0(22  +n ),  if  we  reckon  that  a  comparison  is  one  step.  The 
claimed  bounds  then  follow,  since  rn  <  2". 

If  the  machine  does  not  have  a  l’s  count  instruction,  this  can  be  done  in  software 
at  a  cost  of  0(n)  (remember  the  word  size  is  2n )  [21].  This  will  not  affect  the  result. 

In  practice,  k  will  be  small,  since  the  ^-correlation  immune  functions  could  be 
culled  from  a  list  of  fc-immune  functions  with  k  >  L  Also,  since  the  balance  condition 
is  also  linear,  the  same  idea  works  for  counting  fc-resilient  functions. 

We  implemented  three  variations  on  this  algorithm  for  n  =  6  to  do  specialized 
counting  jobs. 

First,  to  count  the  2-correlation  immune  functions,  we  spread  the  work  over  729 
processors,  using  Wisconsin’s  Condor  distributed  computing  system.  Each  processor 
was  responsible  for  a  subset  of  x’s  and  a  subset  of  y’s,  and  selected  possible  matches 
by  hashing  the  signatures.  The  x’s  and  y’s  were  included  in  the  tuples,  making  it 
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possible  to  verify  alleged  matches.  For  our  partition  of  the  data,  x  and  y  cannot 
match  if  they  are  on  different  processors,  so  the  individual  counts  found  by  the 
processors  could  be  summed  at  the  end. 

Second,  we  counted  the  correlation  immune  functions  with  degree  <  4.  Applying 
the  “esoteric  result”  at  the  beginning  of  Section  2  to  n  =  6,  we  see  that  a  2- 
correlation  immune  function  has  degree  <  5  if  and  only  if  its  ANF  omits  the  quintic 
term  X1X2X3X4X5.  It  can  be  shown  that  this  happens  if  the  “combed”  truth  table 
(result  of  bitwise  AND  with  010101...)  has  even  Hamming  weight.  This  is  another 
linear  condition.  Rather  than  add  a  row  to  our  matrices,  however,  we  just  treated 
the  pairs  with  even  and  odd  combed  Hamming  weights  separately,  and  summed  the 
results.  Conveniently,  with  base  33  encoding,  the  signatures  fit  into  32  bits,  and  the 
maximum  imaginable  signature  (336  —  1)  was  small  enough  that  we  could  sort  by 
counting. 

Finally,  we  counted  the  2-resilient  functions.  To  do  this,  we  used  Camion  et 
al.’s  result  (see  Section  2)  that  the  left  and  right  halves  of  any  2-resilient  truth 
table  are  1-resilient.  Using  this  criterion  as  a  filter,  we  made  a  table  of  2  BCI( 5, 1) 
(about  1.6  x  106)  tagged  signatures,  and  then  sorted  it  to  get  the  desired  count. 
By  Theorem  2,  all  Hamming  weights  are  even,  so  we  stored  halved  weights  (which 
cannot  exceed  16).  There  were  (®)  =  15  of  these,  since  we  only  needed  weight  2 
parities.  Using  base  17  encoding,  each  tagged  signature  fit  into  63  bits.  (Note  that 
1715  <  262.)  Therefore,  64  bit  integer  variables  could  be  used. 

6.  The  computational  results 

Table  2  shows  the  distribution  of  n-variable  functions  by  exact  order  of  correlation 
immunity,  for  2  <  n  <  6.  This  table  clearly  shows  that  the  majority  of  functions  have 
correlation  immunity  0.  The  value  of  correlation  immunity  that  has  the  next  largest 
number  of  functions  is  1.  Also,  Table  2  shows  that,  for  all  values  of  n,  there  are 
two  functions  with  correlation  immunity  n.  These  are  the  constant  functions  /  =  0 
and  /  =  1,  appearing  in  Table  1.  Table  2  also  shows  there  are  two  functions  with 
correlation  immunity  n—1.  These  are  the  parity  functions  /(x)  =  x\  © X2  ®  ■  •  •  © xn 
and  /(x)  =  1  ®  x\  ®  X2  ®  ■  •  •  ®  xn,  also  shown  in  Table  1. 


Table  2.  Distribution  of  n-variable  functions  by  exact  correlation  immunity,  fe,  for  2  <  n  <  6. 


n  /  k 

0 

1 

2 

3 

4 

5 

6 

2 

12 

2 

2 

0 

0 

0 

0 

3 

238 

14 

2 

2 

0 

0 

0 

4 

64888 

636 

8 

2 

2 

0 

0 

5 

4291827234 

3139004 

1044 

10 

2 

2 

0 

6 

18446240589943529428 

503483719470800 

46549718 

1654 

12 

2 

2 

The  complete  data  for  n  =  6  is  certainly  new.  We  can,  however,  sum  the  func- 
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tions  with  correlation  immunity  greater  than  0,  and  thus  derive  the  number  of 
correlation  immune  functions.  The  result  is  shown  in  Table  3.  These  values  are 
identical  to  those  computed  by  Palmer  et  al.  [19])  and  Le  Bars  and  Viola  [16], 
which  verifies  our  results.  The  number  of  correlation  immune  functions  for  n  =  7  is 
also  known;  it  is  171522187398423323340476473786538  [16]. 

Table  3.  Number  of  n-variable  correlation  immune  and  resilient  functions,  for  2  <  n  <  6. 


n 

2 

3 

4 

5 

6 

Cor.  Innn. 

4 

18 

648 

3140062 

503483766022188 

Resilient 

2 

8 

222 

807980 

95259103924394 

Table  4  shows  the  distribution  of  n-variable  balanced  functions  to  exact  corre¬ 
lation  immunity,  where  2  <  n  <  6.  This  data  is  similar  to  that  shown  in  Table  2, 
except  that  it  applies  only  to  balanced  functions  (whose  function  values  have  as 
many  0’s  as  l’s).  Thus,  this  table  shows  only  the  resilient  functions.  Note  that  there 
are  no  resilient  functions  with  correlation  immunity  n.  The  only  possible  candidates 
are  the  constant  functions  in  in  Table  4,  which  are  not  balanced.  However,  there 
are  two  functions  with  correlation  immunity  n  —  1  in  these  tables.  These  are  the 
parity  functions,  which  are  balanced.  From  the  above  enumeration,  we  can  sum  the 
functions  with  correlation  immunity  greater  than  0,  and  thus  compute  the  number 
of  correlation  immune  functions  that  are  balanced.  These  are  the  resilient  functions. 
The  result  is  shown  in  the  second  line  in  Table  3.  The  values  are  identical  to  those 
appearing  in  [19]  and  in  [16].  Le  Bars  and  Viola  [16]  have  also  determined  that 
there  are  23478015754788854439497622689296  1-resilient  functions  for  n  =  7. 

Table  4.  Distribution  of  n-variable  balanced  functions  by  exact  resiliency,  k,  for  2  <  n  <  6. 


n  /  k 

0 

1 

2 

3 

4 

5 

6 

2 

4 

2 

0 

0 

0 

0 

0 

3 

62 

6 

2 

0 

0 

0 

0 

4 

12648 

212 

8 

2 

0 

0 

0 

5 

600272410 

807428 

540 

10 

2 

0 

0 

6 

1832120657223119734 

503483702719940 

16749696 

1150 

12 

2 

0 

A  function  /  is  rotation  symmetric  [11]  if  and  only  if  for  any  values 

(xi  ,  X2  5  •  •  •  5  3Cjl)  5 

f(x  1,X2,  •  ■  .,X„)  =  f(xn,x !,x2,  ■  ■  ■  ,arn_i);  (3) 

that  is,  the  function  is  invariant  under  rotation  of  indices. 

Example  2.  The  four  functions  /(x)  =  0,  /(x)  =  1,  /(x)  =  X\  ©  x2  ®  ■  •  •  ®  xn, 
and  /(x)  =  1  ®  Xi  ©  x%  ®  •  •  •  ©  xn  (for  all  xgFJ)  are  all  rotation  symmetric. 
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Table  5.  Distribution  of  n-variable  rotation  symmetric  functions  versus  exact  correlation  immunity 
k  and  n,  for  2  <  n  <  6. 


n  /  k 

0 

1 

2 

3 

4 

5 

6 

2 

4 

2 

2 

0 

0 

0 

0 

3 

10 

2 

2 

2 

0 

0 

0 

4 

48 

12 

0 

2 

2 

0 

0 

5 

214 

34 

4 

0 

2 

2 

0 

6 

14656 

1686 

36 

2 

0 

2 

2 

Table  5  shows  the  distribution  of  n-variable  balanced  functions  to  exact  corre¬ 
lation  immunity  k  for  rotation  symmetric  functions.  The  fraction  of  all  functions 
that  are  rotation  symmetric  functions  is  small,  and  this  is  seen  in  the  table.  It 
is  interesting  that,  for  correlation  immunity  equal  to  n  and  n  —  1,  there  are  two 
functions  for  all  values  of  n  shown.  This  is  because  all  functions  with  these  values 
of  correlation  immunity  are  rotation  symmetric.  Indeed,  all  of  these  functions  are 
symmetric,  which  is  a  subtype  of  rotation  symmetric  functions. 

Table  6  shows  the  distribution  of  4-variable  functions  as  a  function  of  both 
correlation  immunity  and  nonlinearity.  The  computation  of  the  nonlinearity  by  re- 
configurable  computer  is  described  in  [27].  So,  for  each  function  we  compute  its 
correlation  immunity,  as  described  in  this  paper  and  its  nonlinearity,  as  described 
in  [27].  The  functions  with  largest  nonlinearity  are  the  bent  functions;  for  n  =  4, 
there  are  896  bent  functions.  As  with  the  distributions  discussed  earlier,  the  major¬ 
ity  of  functions  have  a  correlation  immunity  of  0.  But,  in  this  table,  it  can  be  seen 
how  the  functions  are  distributed  according  to  nonlinearity.  Most  functions  have 
nonlinearity  near  the  middle  values,  3  through  5.  And,  most  of  these  are  concen¬ 
trated  along  the  value  of  correlation  immunity  equal  to  0.  It  is  interesting  that  the 
largest  concentration  of  functions  with  the  highest  correlation  immunity  (1  only) 
and  relatively  high  nonlinearity  occur  at  nonlinearity  4. 

Table  6.  Distribution  of  n-variable  functions  versus  exact  correlation  immunity  k  and  nonlinearity 
( N ),  for  n  =  4. 


N  /  k 

0 

1 

2 

3 

4 

0 

8 

12 

8 

2 

2 

1 

512 

0 

0 

0 

0 

2 

3712 

128 

0 

0 

0 

3 

17920 

0 

0 

0 

0 

4 

27504 

496 

0 

0 

0 

5 

14336 

0 

0 

0 

0 

6 

896 

0 

0 

0 

0 

Table  7  shows  data  similar  to  that  of  Table  6  except  that  it  is  for  n  —  5. 
Interestingly,  there  are  a  relatively  substantial  number  of  functions,  that  is  384, 
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Table  7.  Distribution  of  n- variable  functions  versus  exact  correlation  immunity  k  and  nonlinearity 
(N),  for  n  =  5. 


N  /  k 

0 

1 

2 

3 

4 

5 

0 

10 

20 

20 

10 

2 

2 

1 

2048 

0 

0 

0 

0 

0 

2 

31232 

512 

0 

0 

0 

0 

3 

317440 

0 

0 

0 

0 

0 

4 

2278400 

23040 

0 

0 

0 

0 

5 

12888064 

0 

0 

0 

0 

0 

6 

57873920 

122368 

0 

0 

0 

0 

7 

215414784 

0 

0 

0 

0 

0 

8 

645867160 

1799080 

640 

0 

0 

0 

9 

1362452480 

0 

0 

0 

0 

0 

10 

1411209216 

890880 

0 

0 

0 

0 

11 

556408832 

0 

0 

0 

0 

0 

12 

27083648 

303104 

384 

0 

0 

0 

with  the  highest  nonlinearity  12  and  moderate  correlation  immunity  2. 

Table  8  shows  the  distribution  of  4-variable  functions  versus  exact  correlation 
immunity  k  and  degree.  High  degree  in  Boolean  functions  is  a  desired  cryptographic 
property.  The  computation  of  degree  is  accomplished  using  the  “transeunt  triangle” 
[27].  This  is  a  circuit  consisting  entirely  of  exclusive  OR  gates  that  transforms  the 
truth  table  of  a  function  to  its  ANF.  Additional  gates  extract  from  the  ANF  a 
binary  number  that  is  the  degree  of  the  function.  So,  for  each  function,  we  compute 
its  correlation  immunity,  as  described  in  this  paper  and  its  degree  as  described 
here.  Table  9  shows  a  distribution  similar  to  that  of  Table  8  except  that  it  is  for 
5-variable  functions.  There  are  a  relatively  substantial  number  of  functions  (384) 
with  moderate  degree  (3)  and  moderate  exact  correlation  immunity  (2). 


Table  8.  Distribution  of  n-variable  functions  versus  correlation  immunity  k  and  degree  (Deg),  for 
n  =  4. 


Deg  /  k 

0 

1 

2 

3 

4 

0 

0 

0 

0 

0 

2 

1 

8 

12 

8 

2 

0 

2 

1712 

304 

0 

0 

0 

3 

30400 

320 

0 

0 

0 

4 

32768 

0 

0 

0 

0 

In  Table  10,  the  rows  for  d  <  3  were  computed  on  the  SRC-6.  This  was  combined 
with  the  count  of  2-correlation  immune  functions  to  complete  the  k  =  2  column. 
Since  the  number  of  1-correlation  immune  functions  is  known,  the  total  for  d  <  4 
and  k  >  1  could  be  used  to  complete  the  k  =  1  column.  The  remaining  column  was 
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Table  9.  Distribution  of  n-variable  functions  versus  exact  correlation  immunity  k  and  degree  (Deg), 
for  n  =  5. 


Deg  /  k 

0 

1 

2 

3 

4 

5 

0 

0 

0 

0 

0 

0 

2 

1 

10 

20 

20 

10 

2 

0 

2 

59736 

5096 

640 

0 

0 

0 

3 

65478976 

1563968 

384 

0 

0 

0 

4 

2078804864 

1569920 

0 

0 

0 

0 

5 

2147483648 

0 

0 

0 

0 

0 

Table  10.  Distribution  of  n-variable  functions  versus  exact  correlation  immunity  k  and  degree 
(Deg),  for  n  =  6. 


Deg  /  k 

0 

1 

2 

3 

4 

5 

6 

0 

0 

0 

0 

0 

0 

0 

2 

1 

12 

30 

40 

30 

12 

2 

0 

2 

3760424 

417512 

15000 

1240 

0 

0 

0 

3 

4388747656096 

9270073536 

24586784 

384 

0 

0 

0 

4 

143859057441024156 

251732566372708 

21947904 

0 

0 

0 

0 

5 

9079005106896312932 

251741882607004 

0 

0 

0 

0 

0 

6 

9223372036854775808 

0 

0 

0 

0 

0 

0 

Total 

18446240589943529428 

503483719470790 

46549728 

1654 

12 

2 

2 

determined  by  subtraction. 

Table  11  shows  the  time  it  takes  to  do  the  exhaustive  enumeration  across  4  vari¬ 
ables.  The  first  row  shows  that  0.655  msec,  is  needed  to  complete  the  enumeration 
on  the  SRC-6  reconfigurable  computer;  this  corresponds  to  one  function  per  clock 
cycle  of  a  100  MHz  clock.  The  second  row  shows  that  1,238.7  msec,  is  needed  when 
a  C  program  is  compiled  into  Verilog  using  the  SRC-6’s  compiler  and  run  on  the 
SRC-6’s  FPGA  (Xilinx  Virtex-II  Series  6000).  The  third  row  shows  that  190  msec, 
is  needed  by  the  same  C  program  when  it  is  run  on  a  conventional  processor  (the 
SRC-6’s  2.8  GHz  Xeon  microprocessor).  The  small  time  required  in  the  case  of  a 
Verilog  program  shows  a  significant  advantage  in  using  the  large  logic  resources  of 
an  FPGA.  Compared  to  the  conventional  processor  time,  the  SRC-6  programmed 
in  Verilog  has  a  190  times  speedup. 


Table  11.  Comparing  computation  time  for  correlation  immunity  over  all  4- variable  functions. 


Computer/ 

Time 

Program 

(msec.) 

100  MHz  FPGA /Verilog 

0.655 

100  MHz  FPGA/C 

1,238.7 

2.8  GHz  Xeon/C 

190 
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7.  Concluding  Remarks 

Correlation  immunity  is  an  important  cryptographic  property  of  Boolean  functions. 
We  show  a  fast  circuit  that  allows  a  computation  of  correlation  immunity  of  Boolean 
functions  at  a  rate  of  10s  functions  per  second  on  the  SRC-6  reconfigurable  com¬ 
puter.  In  the  case  of  4-variable  functions,  this  results  in  a  190  times  speedup  com¬ 
pared  to  a  conventional  computer.  For  the  first  time  ever  we  are  able  to  find  the 
distribution  of  6  variable  functions  versus  the  order  of  correlation  immunity.  We 
also  can  quickly  analyze  and  compare  Boolean  functions  on  the  basis  of  their  cryp¬ 
tographic  properties.  Specifically,  we  compare  correlation  immunity  with  two  other 
cryptographic  properties,  nonlinearity  and  degree,  and  obtain  for  the  first  time,  a 
complete  distribution  of  such  functions  for  <  6  dimensions. 
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